unbound giving SERVFAIL behind OpenStack

[George Thessalonikefs]

Hi Felipe,

I don't see something wrong.
Unbound tries to resolve something and it gets these answers from 
upstreams that are marked as THROWAWAY (SERVFAIL I assume from the 
domain name).

There is a limit on how many times a certain upstream server is going to 
be asked (OUTBOUND_MSG_RETRY) and there is a further limit on how many 
queries are allowed to be sent totally (MAX_SENT_COUNT). The latter one 
is useful for cases when a domain has a long list of nameservers that 
mainly provide THROWAWAY answers.

Best regards,
-- George

On 25/05/2021 22:15, Felipe Gasper via Unbound-users wrote:
> Hi all,
> 
> 	I’m finding that from a VM in our OpenStack cluster if I `unbound-host` against an instance name of any VM, the query comes back SERVFAIL. When I do `unbound-host -dd $instance_name` I get a bit more detail:
> 
> -----
> ..snip..
> [1621971918] libunbound[6945:0] info: processQueryTargets: servfail.cptest.tld. A IN
> [1621971918] libunbound[6945:0] debug: request has exceeded the maximum number of sends with 33
> [1621971918] libunbound[6945:0] debug: return error response SERVFAIL
> [1621971918] libunbound[6945:0] debug: validator[module 0] operate: extstate:module_wait_module event:module_event_moddone
> [1621971918] libunbound[6945:0] info: validator operate: query servfail.cptest.tld. A IN
> Host servfail.cptest.tld not found: 2(SERVFAIL).
> -----
> 
> This is at the end of a chain of I guess 33 or so queries, each one apparently targeting a different DNS root server.
> 
> When I use any other name in the .tld domain, I get the expected NXDOMAIN response.
> 
> Unbound isn’t waiting any appreciable length of time before sending those other queries; just for some reason those specific names cause it to send tons of parallel queries. It looks like that MAX_SENT_COUNT isn’t configurable, so I’m wondering if there’s some undesirable behaviour here on Unbound’s part?
> 
> Thank you!
> 
> -FG
>